How to authenticate user to Firestore Go SDK? - firebase

I'm trying to use the Firestore Go SDK from a client application. This looks like a client-side SDK, based on the functions, but that might be my first error?
I'm struggling to authenticate the user to Firestore. I've already logged them in using the REST API for Firebase Auth. This returns me an ID token, refresh token, etc. How do I use this with the Firestore SDK?
The docs suggest I need to call firestore.NewClient(<context>, <project-id>, <option>). For the latter argument, I've tried option.WithCredentialsJSON(...) passing a JWT-decoded ID token. I've also tried passing the raw refresh token. In both cases, the SDK complains about what I'm passing.
How can I authenticate the user based on the tokens I've obtained?

The Go SDK for Firestore is meant to be used in a trusted environment, such as your development machine, a server you control, or Cloud Functions. It doesn't have a way to sign the user of the application in, but instead authenticates itself with the server with administrative credentials, which you'll don't want to have on non-trusted devices.

option.WithCredentialsJSON accepts not JWT token, but Google Application Default Credentials.
Other option is to provide path to the file with Google Application Default Credentials using environment variable GOOGLE_APPLICATION_CREDENTIALS since firebase sdk is a part of the cloud.google.com/go sdk.
Check out the examples (also with other options).
https://cloud.google.com/docs/authentication/production#auth-cloud-implicit-go
https://godoc.org/cloud.google.com/go#example-package--ApplicationDefaultCredentials

Related

How to Secure Firebase Realtime Database

This image shows the Authentication for my Firebase Database Security: Authentication
I only allow Email/Password Sign-in method, everything else is disabled.
I don't allow my users to sign in manually.
My Android app logs in via code and it uses just one set of Email/Password:
My question is how come I am still getting this warning: Warning
I've followed thru the enter link description here but this sample uses Google sign-in method. And all the other samples or discussion I've read use the same method. Has anyone here tried Email/Password Sign-in Method? Thanks!
That authentication and the firebase realtime database are different things. Your authentication method doesn't control who has access to that database.
This means that anyone who has access to the keys, will be able to access your db. So if your client app (Android / ios / web app) access the database directly, your users will be able to do that too.
To secure it you need to use specific read/write rules. Your best explanation will be from their documentation which can be found here https://firebase.google.com/docs/database/security

Flutter Firebase, logout other user than me

In my Flutter management application, I would like to disconnect a user other than the one I am logged in with.
I use Firebase as my database, and use email and a password to log in. I don't use a token
I know that in order to disconnect the user I am currently logged in with, it has to be done like this:
FirebaseAuth.instance.signOut();
I can't figure out how to disconnect another user.
In the Firebase client-side SDKs, you can only sign out the currently signed in user. There is no way to sign out a user on another device.
If you want to add user management functionality to your client-side application, you'll want to use a combination of the client-side SDK and a server-side Admin SDK to build this functionality:
Use the Admin SDK in a trusted environment (such as a server you control, or Cloud Functions) to implement the user management functionality.
Create an endpoint that clients can call that exposes this functionality, for example as a callable Cloud Function.
In that endpoint be sure to check whether the user is authorized, for example by checking their ID token to see if it has a certain UID or custom claim.
Call the custom endpoint from your client-side code.

Using firebase Idtoken instead of custom token without compromising security

I have following use cases:
I have cloud functions which are accessible with HTTP endpoint and they use authorization using custom token because the app is only accessible with certain IPs stored in RTDB so I have created one cloud function with will generate a custom token after signing in user using firebase client SDK and then it will create a custom token using admin SDK after checking IPs which are stored in RTDB.
Now with every subsequent call client will send token and functions will serve the request.
I have event listeners bound with the RTDB on a client and use file upload using client SDK which client initialize with firebaseApp.auth().signInWithCustomToken(custom token).
On the function side I use the same sign in the method that also utilizes my firebase SDK and then I serve that request. The problem here is this sign in the method is very slow like it is taking generally more than 1 second only in sign in.
Alternative
Now alternative is I can use id token which can be created using currentUser.getIdToken() on the client side itself and it takes barely few ms to decode that token but I cannot initialize SDK with that token. so I have to use admin SDK but my IP node in RTDB is not accessed by the normal user and can only be accessed with admin SDK, so if I use ADMIN SDK with Control Access with Custom Claims and Security Rules to give admin SDK similar access that the authorized user has then IP node will not be accessible.
Issues with id token
Id token can be refreshed on the client side so once a client has a custom token, It can generate as many tokens it wants and that is not desirable. Apart from that validating IP everytime is not the operation that I wanted to do so with custom token I only use that in generating a custom token and then for a refreshing token but with id token, this would not be possible as the client can generate it with SDK.
Basically, I have to use firebase SDK on the client side which will need custom token(for additional authorization check) to initialize and at the same time I call the clound function from the similar app so what is the best way to implement this use case.

Angularfire - Get email by uid? #askfirebase

I have an Ionic application using Firebase so I opted to use Angularfire. Currently running Angularfire4. In my application I store the uid and I want to get email related with that uid. I use the email/password login provided by firebase. How can I translate the uid to an email?
The only method found is when using nodejs.
The only data that is exposed in the client-side Authentication SDKs is the profile of the currently authenticated user.
There is no way to look up user data for a UID with the Firebase Authentication client-side SDKs. While admittedly convenient, it would make leaking user-data way too easy.
The only way to look up user data by UID is using the Admin SDK that you found. The idea is that you run those in a trusted environment (e.g. a server you control, or Cloud Functions) and selectively expose the user data that your app needs.

How can I retrieve the most recent simplelogin users?

Is there a firebase call that accepts a number and returns all simplelogins greater than or equal to that number?
For the avoidance of doubt, I'm not referring to data in my app, I'm referring to the list of users maintained separately by Firebase under the Login & Auth tab.
When I refresh users, the ajax call made by the firebase graphical debugger is this:
https://auth.firebase.com/v2/MYAPP/users?forge=true&token=XXX
But I can't get this to work with my secure JSON web token ("firebase secrets")
Firebase keeps the email/password information for users of your application in a separate database.
There is currently no official public API to access your email/password users. You can however see the users in the Login & Auth part of your Firebase's Dashboard.
Most applications that use Firebase Authentication store a copy of their users inside their database, i.e. under a /users node. They can then access it through Firebase's regular APIs.

Resources